Many operating systems available today ship with SQLite preconfigured. The application's source code is also open, so it can be installed manually. Apart from being development friendly, Apple's Mac operating system includes a preinstalled SQLite application in some of its versions, which makes it convenient for investigative purposes.
Mac first shipped with SQLite as part of the system in OS X. The OS is development friendly and comes preinstalled with a number of development tools, including SQLite. Official implementation of the program took place with the introduction of Mac OS X Tiger and subsequent versions. Forensic analysis of a SQLite database is more convenient than that of any other storage type. SQLite generates a large number of data and program files for supported applications, and no layer of security is applied to access to the DB file. This also makes the file unsuitable for storing sensitive data, since plenty of commercial database browser applications on the market can read its contents.
Mac-Based Applications and the Role of SQLite
SQLite was provided by default on Mac OS to support development and media administration. The version of SQLite varied with the version of Mac OS in use. The way applications use SQLite, and the data they store in it, prove very helpful during forensic investigations. We have therefore gathered a list of programs that ship with Mac OS and keep their storage in a SQLite database file. These programs use a SQLite DB on the backend for data storage, and that DB can be parsed to examine the activities and configuration details associated with the particular application. One of the many applications that can serve as an example here is the Safari web browser, owing to its heavy use.
Safari: Web browsers are among the most commonly and heavily used applications, so they top the list. Safari used to store its history in the history.plist file; more recently the storage changed to a SQLite DB file. More interesting is that the browser also stores private browsing data that users expect to stay private. Webpageicon.db may not look like the kind of database in which a browser would store the URLs of websites visited privately, but it does. Even in a private session, this database file stores all the visited URLs in a table named URL.
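An added example (not from the original article) of examining such a database without altering it: it opens an evidence copy read-only, scans every text column for URLs instead of assuming a schema, and compares the file hash before and after. The sample database, its column names and the function names are constructed for illustration; only the table name URL follows the article.

```python
import hashlib
import re
import sqlite3
import tempfile
from pathlib import Path

URL_RE = re.compile(r"^https?://", re.IGNORECASE)

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def quote_ident(name):
    # Names come from the evidence file, so quote them before use in SQL.
    return '"' + name.replace('"', '""') + '"'

def extract_urls(db_path):
    """Scan every text column of an evidence copy; return {table: [urls]}."""
    before = sha256_of(db_path)
    # mode=ro refuses writes; immutable=1 disables locking and change detection.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    found = {}
    try:
        tables = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
        for (table,) in tables.fetchall():
            qt = quote_ident(table)
            cols = con.execute(f"PRAGMA table_info({qt})").fetchall()
            for _cid, col, *_rest in cols:
                sql = f"SELECT {quote_ident(col)} FROM {qt}"
                hits = [v for (v,) in con.execute(sql)
                        if isinstance(v, str) and URL_RE.match(v)]
                if hits:
                    found.setdefault(table, []).extend(hits)
    finally:
        con.close()
    if sha256_of(db_path) != before:
        raise RuntimeError("evidence file changed during examination")
    return found

def demo():
    # Constructed sample: table name URL follows the article, columns are assumed.
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "sample.db"
        con = sqlite3.connect(path)
        con.executescript(
            "CREATE TABLE URL (id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
            "INSERT INTO URL (url, title) VALUES ('https://example.com/', 'Example'),"
            " ('http://example.org/private', 'Private tab');")
        con.close()
        return extract_urls(path)
```

Run `extract_urls` against a working copy of the acquired file, never the original, and record the hash it was verified against.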
Conclusion: The use of SQLite for storing application data on Mac operating systems has evidently made forensics on them feasible and productive. The complete activities of a Mac OS user can be tracked from their machine just by parsing the database files of important applications such as the web browser, email client, address book, calendar, etc. Therefore, the storage path and a Sqlite Mac Forensic Explorer application are all that is needed to perform SQLite Mac forensics.